Ideas & Insights

An employee who leaves to work for a competing company poses a risk to their former employer. The risk is that they may steal intellectual property stored electronically to give themselves a head start in their new company. The most common ways they do this are copying electronic information ("data" or "file") to a USB memory stick ($10 at Staples), attaching a file to an email and sending it to their personal email (free), and/or uploading files to a third-party storage site on the internet such as Dropbox (free for one month). These three methods are quick and inexpensive. At the same time, stolen sensitive information can cripple a company and/or ruin somebody's reputation.

Exfiltration (removing sensitive information from the owner's control) is a growing problem in all industries. "Why invent when you can steal" seems to be the trend.

How do companies stop this from happening? It takes work and money! There are solutions to control and monitor the theft of intellectual property ("IP"). Some options are: hire IT security experts to build proactive and reactive solutions to protect IP, install and monitor data loss prevention software, sponsor periodic training on securing IP and develop tough policies on IP theft.

In most exfiltration matters the same questions arise: 1) who stole the data? 2) what was stolen? 3) when did the theft occur? and 4) how was it stolen? Then come the two questions that all consultants dread: 5) how much will this project cost? 6) when am I going to get the results? The answer to the latter is "it depends." A standard response from a consultant, you may say! The truth of the matter is that the cost and duration depend on the client's goal(s): 1) simply answer the 4 W's above and the degree of certainty, 2) go for legal action (cease & desist), and/or 3) locate and eradicate all copies of the stolen files stored on unauthorized media. A cost-benefit exercise is warranted by the company and its counsel. Although, I will offer this in general... it takes about 1.5 to 2 weeks to know whether there is merit to these types of allegations. Time is of the essence to make prudent business decisions, and the stakeholders must work towards the same goal.

The goal in exfiltration matters is to compile factual evidence from electronic sources to develop a strong compelling storyline of the alleged theft. There is no such thing as 100% certainty that a particular individual(s) stole IP. Usually professionals in my field will do their very best to answer the questions at hand and find clues that will strengthen the storyline. If a computer forensics professional tells you otherwise, please contact me because I have a bridge to sell you!

Let's take two common examples of how data is stolen: 1) via USB memory stick and 2) via email. In both instances, several sources of electronic information are required: a forensic image of the person of interest's ("POI") computer, corporate email, and server data (folders they have access to). There are other items to ask for, like network security, event logs to analyze, etc. Never mind the latter for now; we want to keep this section user friendly. Obtaining a forensic image is important because we want to preserve the file's metadata. The file's metadata will contain MAC dates/times (modified, accessed and created), which are critical in developing a comprehensive timeline. I do not recommend that anybody start to poke around the computer prior to a forensic image. This action will alter the MAC dates/times. I was on a conference call a few months ago on a telephone consultation. A representative from the company lets me know that she sees the files on the POI's local drive that were stolen: customer list, premium information, etc. I asked "how do you know this information?" She said "because I am looking at them now." I'm sure she was just trying to be helpful, thinking that she was saving her company time and money. Indeed, data spoliation is a situation one must avoid.

Dr. Edmund Locard, a French scientist, formulated the basic forensic principle that every contact leaves a trace. For example, if a car crashed into another car, you will see car paint and other material transferred to the other car and vice versa. The same is true in the digital world.

When a USB memory stick is inserted into a PC, the Windows operating system will pause, install the proper drivers and alert the user that the device is ready to use. At this point, the USB device has been logged in the PC's Setupapi.log file, including a date stamp (date first inserted only). The PC's USBSTOR registry key records the date when the same USB device was last inserted. If the POI opens the file from the USB to make sure they have the correct file, a LNK file is created. A LNK file contains MAC dates/times and the location where the file was opened. If the date of the last time the USB was inserted and the creation date of the file precede the POI's departure, there is a strong inference that the file was stolen.
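The timeline reasoning above, as an added example (not code from the original article): it reads first-insert times from a log excerpt and merges them with last-insert and LNK timestamps into one ordered timeline. It assumes the setupapi.dev.log section layout of later Windows versions; the device ID, file path, dates and function names are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed excerpt. Assumption: setupapi.dev.log section headers (later
# Windows versions); the older Setupapi.log is laid out differently.
SAMPLE_LOG = r"""
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Example&Prod_Flash&Rev_1.00\AA0000000123&0]
>>>  Section start 2014/05/02 17:41:09.512
<<<  Section end 2014/05/02 17:41:11.030
>>>  [Device Install (Hardware initiated) - USB\VID_0000&PID_0000\5&1a2b3c]
>>>  Section start 2014/04/11 08:02:44.101
<<<  Section end 2014/04/11 08:02:45.000
"""
HEADER = re.compile(r"^>>>\s+\[Device Install.*? - (USBSTOR\\[^\]]+)\]\s*$")
START = re.compile(r"^>>>\s+Section start (\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)")
FMT = "%Y/%m/%d %H:%M:%S"

def first_installs(log_text):
    """Map each USBSTOR device instance ID to its earliest install time."""
    found, pending = {}, None
    for line in log_text.splitlines():
        header = HEADER.match(line)
        if header:
            pending = header.group(1)
            continue
        start = START.match(line)
        if start and pending:
            ts = datetime.strptime(start.group(1), FMT)
            found[pending] = min(ts, found.get(pending, ts))
        pending = None  # a header only governs the line right after it
    return found

def build_timeline(installs, last_inserted, lnk_opens, departure):
    """Merge the sources into sorted (time, source, detail, precedes_departure) rows."""
    rows = [(ts, "setupapi first insert", dev) for dev, ts in installs.items()]
    rows += [(ts, "USBSTOR last insert", dev) for dev, ts in last_inserted.items()]
    rows += [(ts, "LNK file opened", path) for ts, path in lnk_opens]
    return [(ts, src, what, ts < departure) for ts, src, what in sorted(rows)]

# Constructed values standing in for registry and LNK parser output.
DEVICE = r"USBSTOR\Disk&Ven_Example&Prod_Flash&Rev_1.00\AA0000000123&0"
LAST_INSERTED = {DEVICE: datetime(2014, 5, 9, 18, 3, 27)}
LNK_OPENS = [(datetime(2014, 5, 9, 18, 5, 2), r"E:\customer_list.xlsx")]
DEPARTURE = datetime(2014, 5, 16)

if __name__ == "__main__":
    for row in build_timeline(first_installs(SAMPLE_LOG), LAST_INSERTED, LNK_OPENS, DEPARTURE):
        print(*row, sep=" | ")
```

Setup log timestamps are local time while registry key last-write times are stored in UTC, so normalize every source to one time zone before merging real data.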

Attaching a file to an email (corporate email system) and sending it to a personal email account is another popular way to steal a file. After the POI sends the email with the stolen file as the attachment, they would probably delete the email from their sent folder and then delete the same email from the deleted items folder. At this point the email is no longer viewable. However, MS Outlook actually keeps deleted email for two weeks (the default setting). A qualified IT professional will be able to obtain deleted emails. After the deleted emails are obtained, using keywords such as Yahoo.com, Gmail.com and Hotmail.com is an efficient way to search for unauthorized data transfer.
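The keyword search over recovered email described above, as an added example (not code from the original article): it parses recovered messages and reports those that carry an attachment to a personal webmail address. The messages, addresses and the `triage` function are constructed for illustration, and the exact-domain match is an assumption that is stricter than a plain keyword search.

```python
from email import message_from_string
from email.utils import getaddresses

PERSONAL_DOMAINS = {"yahoo.com", "gmail.com", "hotmail.com"}  # keywords from the text

# Constructed messages standing in for recovered deleted items.
RECOVERED = [
"""From: poi@corp.example
To: Colleague <peer@corp.example>
Subject: lunch
Date: Thu, 08 May 2014 12:01:00 -0400

See you at noon.
""",
"""From: poi@corp.example
To: "Me" <poi.home@GMAIL.com>
Subject: fwd
Date: Fri, 09 May 2014 18:10:00 -0400
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

fyi
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="customer_list.xlsx"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQ=
--b1--
""",
]

def triage(raw_messages):
    """Return (date, personal recipients, attachment names) for suspect mail."""
    hits = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        fields = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
        personal = sorted(addr.lower() for _, addr in getaddresses(fields)
                          if addr.rpartition("@")[2].lower() in PERSONAL_DOMAINS)
        files = [p.get_filename() for p in msg.walk() if p.get_filename()]
        if personal and files:
            hits.append((msg["Date"], personal, files))
    return hits
```

The sent date of each hit can then be placed on the same timeline as the POI's departure date.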

If the POI sent the email to their web-based email such as Hotmail, email artifacts may be present in both the browser's cache and the pagefile.sys file if they opened their Hotmail to check whether the email was received. This will crosscheck the procedure above. Corroboration from two different sources strengthens the storyline!

To summarize: 1) never perform analysis before a forensic image of the computers has been taken, because the metadata will be altered, 2) there are clues in the computer to develop a compelling storyline of IP theft and 3) there is no such thing as 100% certainty.

Note: the items above are examples from a prior project. Not all projects are approached the same way or yield the same results.

Fast Growing Companies – Challenges and Solutions

By: Steve Y. Lehrer, CPA

As your business begins to grow, your risks may begin to grow and evolve. Investors and stakeholders will be comforted knowing that you understand the new risks and challenges facing your business, and that you have them under control. Risks may manifest and change in a variety of ways. Your future success will be driven by the way your business deals with these risks and challenges.

In order to identify and mitigate these risks, fast-growing companies (FGCs) need to build the right foundation, comprising plans, objectives, policies, processes and performance indicators that can help the company fast-track its growth in a stable manner. Rapid growth can be very challenging. A major reason why fast-growing companies struggle is their inability to keep up with the many tasks required to facilitate such rapid expansion.

Common performance challenges may include:

Lack of proper business planning

Unclear objectives and priorities leading to “Management by fire fighting”

Ad-hoc policies and processes

Cash Flow Management constraints

Lack of clear insight into business performance and profitability

Inadequate systems and controls

Here are some objectives that should be set by the owners and respective management, and monitored to ensure healthy and productive growth:

Administrative

A clearly defined mission, which is documented and conveyed to all employees

A written sales plan with an identified niche, pricing policy and targeted customers

An annual budget that is realistic and flexible, and is compared to actual results